Privacy Policy

Last updated: March 2026

1. Controller

Latrock GmbH
Im Obergrund 2, 65232 Taunusstein
Email: contact@zeitbro.com

("we", "us", "our") is the controller within the meaning of Art. 4(7) GDPR for the processing of personal data described below.

We are not required to appoint a Data Protection Officer under Art. 37 GDPR. For data protection inquiries, contact us at contact@zeitbro.com.

Competent supervisory authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
https://datenschutz.hessen.de

2. What Data We Collect

2.1 Account Data

When you register, we collect:

  • Name
  • Email address
  • Hashed password (for email/password sign-up)
  • OAuth profile information (for social sign-up via Google or GitHub)

2.2 Usage Data

When you use the service, we process:

  • Time entries (come/leave times, pause, work minutes, status)
  • Project tasks and durations
  • User settings and preferences
  • Device identifiers and heartbeat timestamps for timer conflict prevention

2.3 Technical Data

Our infrastructure providers may automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Timestamps of requests

3. Legal Basis (Art. 6 GDPR)

We process your data on the following legal bases:

  • Art. 6(1)(b) GDPR - Performance of contract: processing necessary to provide the time tracking service you signed up for.
  • Art. 6(1)(f) GDPR - Legitimate interest: technical logging for security and service stability.

3.1 Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

4. Data Processors

We use the following third-party processors. A data processing agreement pursuant to Art. 28 GDPR is in place with each processor.

  • Convex, Inc. (USA, data hosted in EU) - Backend database and serverless functions
  • Vercel, Inc. (USA, data hosted in EU) - Web application hosting
  • Mailgun Technologies, Inc. (USA, data hosted in EU) - Transactional email delivery
  • Google Ireland Ltd. (Ireland) - Google Analytics for audience measurement (only after your consent)

5. International Data Transfers

All data processors store and process your data within the European Union. The processor companies are headquartered in the USA and participate in the EU-US Data Privacy Framework.

6. Cookies & Audience Measurement

To operate the application we use strictly necessary cookies (session tokens for authentication). No consent is required for these under Section 25(2) TDDDG.

On our public website we use Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) for audience measurement — but only after you have explicitly consented via our cookie banner (Art. 6(1)(a) GDPR, Section 25(1) TDDDG). We use Google Consent Mode: without your consent, no analytics cookies are set; the IP address is processed in truncated form and not stored.

You can withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer. For more information on Google's data processing, see Google's Privacy Policy.

7. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Data transmission encryption (TLS/HTTPS)
  • Encryption at rest for stored data
  • Hashed password storage (bcrypt)
  • Access control based on the principle of least privilege
  • Regular security reviews of our infrastructure

8. Data Retention & Breach Notification

We retain your data for as long as your account exists. When you delete your account, all personal data is deleted. We may retain anonymized, aggregated data for service improvement and analytics purposes.

Technical log data (server logs) is retained for a maximum of 90 days. If we introduce payment features in the future, billing data will be retained in accordance with commercial and tax law retention periods (10 years, HGB/AO).

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR. The competent supervisory authority will be informed within 72 hours in accordance with Art. 33 GDPR.

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR)
  • Withdraw consent at any time with future effect (Art. 7(3) GDPR)

To exercise your rights, email contact@zeitbro.com. We will respond within one month (Art. 12(3) GDPR). You can export your data from Settings at any time.

10. Changes

We may update this privacy policy from time to time. We will notify you of material changes by email or through the service. Material changes require re-acceptance through the Service.